7e5495010aecd1402cb02c06d89f1281dcd9113e 1641095 |
|
22-Nov-2014 |
trawick |
follow up to r1641077:
one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion |
72f87451163dbeec3a4802a82235d9f91e07deff 1641077 |
|
22-Nov-2014 |
trawick |
mod_ssl: Fix recognition of OCSP stapling responses that are encoded
improperly or too large.
The one byte "ok" flag stored with the response was accounted for in
the wrong condition. |
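The two commits above (r1641077 and r1641095) describe the same layout: the cached stapling object is the DER-encoded OCSP response prefixed by a one-byte "ok" flag, so the object is one byte longer than the response, and a size check written against the response length instead of the object length is off by one at the buffer boundary. The following is an added illustration of that layout and check, written for this page; it is not mod_ssl's code, and the buffer bound DEMO_MAX_STAPLING_DER, the function names and the sample bytes are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bound on a cached object; mod_ssl's own constant is not on this page. */
#define DEMO_MAX_STAPLING_DER 10240

/* Build the cached object: out[0] = ok flag, out[1..] = DER response.
 * The response length and the cached object length are tracked separately:
 * obj_len is resp_len + 1 because of the flag byte.
 * Returns 1 on success, 0 if the response plus its flag does not fit. */
int stapling_encode_cached(const unsigned char *resp_der, size_t resp_len, int ok,
                           unsigned char *out, size_t out_cap, size_t *obj_len)
{
    size_t need = resp_len + 1;          /* cached object length */
    if (resp_len == 0 || need > out_cap) {
        return 0;
    }
    out[0] = ok ? 1 : 0;
    memcpy(out + 1, resp_der, resp_len);
    *obj_len = need;
    return 1;
}

/* Inverse: recover the flag, and the response pointer and length, from a cached object. */
int stapling_decode_cached(const unsigned char *obj, size_t obj_len, int *ok,
                           const unsigned char **resp_der, size_t *resp_len)
{
    if (obj_len < 2) {                   /* flag byte plus at least one byte of DER */
        return 0;
    }
    *ok = obj[0] != 0;
    *resp_der = obj + 1;
    *resp_len = obj_len - 1;
    return 1;
}

/* Correct bound check: the flag byte is counted against the buffer. */
int stapling_response_fits(size_t resp_len)
{
    return resp_len + 1 <= DEMO_MAX_STAPLING_DER;
}

/* The kind of check the commits describe as wrong: it tests the response
 * length against the buffer and forgets the flag byte, so a response of
 * exactly DEMO_MAX_STAPLING_DER bytes is accepted although the cached
 * object would be one byte too long. Kept here only for contrast. */
int stapling_response_fits_buggy(size_t resp_len)
{
    return resp_len <= DEMO_MAX_STAPLING_DER;
}

/* Constructed sample: 16 bytes of 0x30 stand in for a DER response (not a
 * real OCSP response). Runs encode then decode and returns the decoded
 * response length (16), or 0 on any failure. The decoded flag goes to *ok_out. */
size_t stapling_round_trip_demo(int ok_in, int *ok_out)
{
    unsigned char sample[16];
    unsigned char cache[32];
    size_t obj_len = 0, resp_len = 0;
    const unsigned char *resp = NULL;

    memset(sample, 0x30, sizeof sample);
    if (!stapling_encode_cached(sample, sizeof sample, ok_in, cache, sizeof cache, &obj_len)) {
        return 0;
    }
    if (obj_len != sizeof sample + 1) {  /* object is one byte longer than the response */
        return 0;
    }
    if (!stapling_decode_cached(cache, obj_len, ok_out, &resp, &resp_len)) {
        return 0;
    }
    if (memcmp(resp, sample, sizeof sample) != 0) {
        return 0;
    }
    return resp_len;
}

int main(void)
{
    int ok = -1;
    size_t n = stapling_round_trip_demo(1, &ok);
    printf("decoded %zu response bytes, ok flag %d\n", n, ok);
    printf("fits(%d): correct=%d buggy=%d\n", DEMO_MAX_STAPLING_DER,
           stapling_response_fits(DEMO_MAX_STAPLING_DER),
           stapling_response_fits_buggy(DEMO_MAX_STAPLING_DER));
    return 0;
}
```

The point of keeping two lengths is visible at the boundary: with a response of exactly DEMO_MAX_STAPLING_DER bytes, the correct check rejects it and the flag-less check accepts it, which is the one-byte confusion the two commit messages refer to.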
218262d57d1ae59891c34ebe396ae3276f2ffa97 1629519 |
|
05-Oct-2014 |
ylavic |
Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros). |
b56be8bdea34532a0d6ad319ed25fe624c4e4f48 1629485 |
|
05-Oct-2014 |
ylavic |
Follow up to r1629372: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_value). |
393e1bb47b60cf97d521c49cf929740f32b95758 1629372 |
|
04-Oct-2014 |
kbrand |
Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).
* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
ssl_stapling_certid_free (used with apr_pool_cleanup_register).
Switch to a stapling_certinfo hash which is keyed by the SHA-1
digest of the certificate's DER encoding, rework ssl_stapling_init_cert
to only store info once per certificate (allocated from the pconf
to the extent possible) and extend the logging.
* modules/ssl/ssl_private.h: adjust prototype for
ssl_stapling_init_cert, replace ssl_stapling_ex_init with
ssl_stapling_certinfo_hash_init
* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls
Based on initial work by Alex Bligh <alex alex.org.uk> |
4dec123e0778ab882c05c85508a77070db1ca3cd 1588853 |
|
21-Apr-2014 |
kbrand |
ssl_stapling_init_cert: do not return success when no responder URI is found
stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty |
bd17c0d7cde28d71d2c62db92a7fa8b3d0772ead 1544774 |
|
23-Nov-2013 |
kbrand |
Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E
"init functions should return status code rather than ssl_die()"
For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module. |
bfdacfb9c9a39eb971c7e3bb7e976566ba3d1405 1454888 |
|
10-Mar-2013 |
jailletc36 |
Typo |
304257c2b0d71c1e4cf3c5c819bb6b60e7c82d51 1348660 |
|
10-Jun-2012 |
sf |
Pass the server_rec to ssl_die() and use it to log a message to the main error
log, pointing to the appropriate virtual host error log |
53e2218c565ed45d3a7c69dd4c4ef6b1aad5f70a 1222917 |
|
24-Dec-2011 |
kbrand |
Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.
Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl. |
59bdac473e4f8e7b7aa2548947722c278289ed26 1210252 |
|
04-Dec-2011 |
sf |
Add some more log message tags
Remove some log message tags from ap_log_* calls that log lots of
different error messages, in particular the config parsing errors.
Not sure how we should handle those.
ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3 |
185aa71728867671e105178b4c66fbc22b65ae26 1209766 |
|
03-Dec-2011 |
sf |
Add lots of unique tags to error log messages |
5bfaaf573bacb45c1cf290ce85ecc676587e8a64 1174751 |
|
23-Sep-2011 |
jim |
Cleanup effort in prep for GA push:
Trim trailing whitespace... no func change |
15b2474c5419fdf5e8fec600427fa49586b252db 1040366 |
|
30-Nov-2010 |
drh |
Use correct type, need OPENSSL_STRING for >= 1.0 which doesn't exist on 0.9.8
so #define sk_OPENSSL_STRING_pop to sk_pop on 0.9.8 |
0fed7b8a4332dc9f9c366c92006bce133c211d6d 1026903 |
|
24-Oct-2010 |
sf |
Consistently use loglevel emerg before ssl_die() |
de0aae7af654a602e812b4134e7a0192428843fc 1023821 |
|
18-Oct-2010 |
drh |
Make sure OCSP Stapling Mutex is initialised if we need it.
PR 49498 |
024e70e05386a6367eb45d0d1cc406764520ff4c 940981 |
|
04-May-2010 |
wrowe |
Catch up with ap_[proc|global]_mutex_create api change |
4db7896587f9b989da093d77a58500ec15b524d0 907918 |
|
09-Feb-2010 |
wrowe |
Catch up ssl to socache store expiry change, and clarify what the code is doing |
2792780a6fb0951dc304b940ba9274ed1e37fe26 907472 |
|
07-Feb-2010 |
wrowe |
Style guides at httpd are pretty clear, macro values are UPCASE, please? |
6f70afe280a27766fc1d7bbd14fba1802a1c178b 903026 |
|
26-Jan-2010 |
wrowe |
Fix default OCSP stapling port.
Submitted by: Dr Stephen Henson <steve openssl.org> |
11f2c481e1d57bedb3f758565307501e9a2730dd 883540 |
|
24-Nov-2009 |
trawick |
Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead.
Some existing modules, such as mod_ldap and mod_auth_digest gain
configurability for their mutexes. |
20d834fe812738c7b3a222587cc0f771e3847ff9 832496 |
|
03-Nov-2009 |
sctemme |
We now check for OCSP support in configure, so we can lose an OpenSSL version
number check. Use a type safe STACK. |
326833114990fa38a0ff2c3fb2e4d6ff63d406d0 830551 |
|
28-Oct-2009 |
jorton |
* modules/ssl/ssl_util_stapling.c (stapling_cache_response): Use
apr_time_now() rather than time().
Reported by: rpluem. |
5f0bf410ba4033cd575d49b670aede54cad37d19 830546 |
|
28-Oct-2009 |
jorton |
* modules/ssl/ssl_util_stapling.c (stapling_cb): Use mySrvFromConn(),
thanks to rpluem. |
285b2352ec35ab70f2cefea79e27c18c4cb9fd6e 830544 |
|
28-Oct-2009 |
jorton |
* module/ssl/ssl_util_stapling.c: Style fixes, no functional change. |
83ff9077cee74401f52c9c99b7615c326d71e8dc 830175 |
|
27-Oct-2009 |
fuankg |
fixed indents. |
c78978be8ced89fd5576adc583e9f651aba5e0ac 830045 |
|
27-Oct-2009 |
fuankg |
converted tabs, removed trailing spaces. |
89b8bbc89404e7071e573c4f0a17f528996e855d 829619 |
|
25-Oct-2009 |
jorton |
Add support for OCSP "stapling":
* modules/ssl/ssl_util_stapling.c: New file.
* modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it.
* modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if
OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS
extension support enabled).
* modules/ssl/mod_ssl.c: Add config directives.
* modules/ssl/ssl_private.h: Add prototypes for new functions.
(SSLModConfigRec): Add fields for stapling socache instance and
associated mutex.
(modssl_ctx_t): Add config fields for stapling.
* modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child):
Call the stapling initialization functions.
* modules/ssl/ssl_engine_config.c: Add config hooks.
* modules/ssl/ssl_scache.c: Create, initialize and destroy the socache
instance for OCSP responses.
Submitted by: Dr Stephen Henson <shenson oss-institute.org> |